diff --git a/flake.nix b/flake.nix index feae0be..bc03ac4 100644 --- a/flake.nix +++ b/flake.nix @@ -247,6 +247,7 @@ mail.imapHost = "imap.purelymail.com"; mail.smtpHost = "smtp.purelymail.com"; dotfilesRepo = "https://github.com/nmasur/dotfiles"; + backup.s3.glacierBucket = "noahmasur-archive"; hostnames = { audiobooks = "read.${baseName}"; files = "files.${baseName}"; diff --git a/modules/nixos/services/backups.nix b/modules/nixos/services/backups.nix index 58bde30..da54f35 100644 --- a/modules/nixos/services/backups.nix +++ b/modules/nixos/services/backups.nix @@ -22,6 +22,11 @@ description = "S3 access key ID for backups"; default = null; }; + glacierBucket = lib.mkOption { + type = lib.types.nullOr lib.types.str; + description = "S3 bucket for glacier backups"; + default = null; + }; }; }; @@ -69,5 +74,30 @@ # timerConfig = { OnCalendar = "00:05:00"; }; # environmentFile = backup.s3File; # }; + + secrets.s3-glacier = { + source = ../../../private/s3-glacier.age; + dest = "${config.secretsDirectory}/s3-glacier"; + }; + secrets.restic = { + source = ../../../private/restic.age; + dest = "${config.secretsDirectory}/restic"; + }; + + services.restic.backups = { + default = { + repository = "s3:s3.us-east-1.amazonaws.com/${config.backup.s3.glacierBucket}/restic"; + paths = [ "/data/images" ]; + environmentFile = config.secrets.s3-glacier.dest; + passwordFile = config.secrets.restic.dest; + pruneOpts = [ + "--keep-daily 14" + "--keep-weekly 6" + "--keep-monthly 12" + "--keep-yearly 100" + ]; + }; + }; + }; } diff --git a/modules/nixos/services/immich.nix b/modules/nixos/services/immich.nix index 38031bf..cb582b1 100644 --- a/modules/nixos/services/immich.nix +++ b/modules/nixos/services/immich.nix @@ -40,6 +40,9 @@ # Point localhost to the local domain networking.hosts."127.0.0.1" = [ config.hostnames.photos ]; + # Backups + services.restic.backups.default.paths = [ "/data/images" ]; + }; } 
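Review bot: `glacierBucket` defaults to `null`, but the second hunk of this file interpolates `config.backup.s3.glacierBucket` into the `repository` string with no guard visible in the diff. Nix cannot coerce null to a string, so a host that leaves the option unset would fail evaluation. Either wrap the restic definitions in `lib.mkIf (config.backup.s3.glacierBucket != null)` or drop the null default so the missing value is reported against the option itself. The enclosing `config` block starts outside the hunk, so an existing `mkIf` may already cover this. The description could also state that a bare bucket name is expected, e.g. `description = "Name of the S3 bucket holding the restic archive repository";`.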
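Review bot: Setting `pruneOpts` makes this host run `restic forget --prune` with the same credentials it uploads with, so the key in `s3-glacier.age` must be allowed to delete objects. A compromise of the host could then erase the archive together with the live data. Consider enabling versioning or Object Lock on the bucket, or pruning from a separate machine so this host's key can stay write-only. At minimum, record the requirement above the block, e.g. `# prune needs s3:DeleteObject; rely on bucket versioning/Object Lock to protect history`. If the bucket moves objects to a Glacier storage class (the option name suggests this, the diff does not show it), confirm that prune and restore can still read them. The surrounding attribute set opens outside the hunk.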
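Review bot: `/data/images` ends up listed twice for the `default` backup, because this line and the `paths = [ "/data/images" ];` added in `modules/nixos/services/backups.nix` are both list definitions and the module system concatenates them. Keeping the path only here and removing the `paths` line from `backups.nix` would let each service declare its own data and keep the backup module generic. The path is also a literal; if the Immich module exposes an option for its media directory (not visible in this hunk), referencing it would stop the two from drifting apart. The enclosing block starts outside the hunk, so whether this line is gated on the backup module being enabled cannot be seen from here.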
diff --git a/private/restic.age b/private/restic.age new file mode 100644 index 0000000..1ee4c3b --- /dev/null +++ b/private/restic.age @@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyAvWi9T +NnFzUnlKUGord21NUy9OT1NDRjhIbFB6MUc3TzgwVzY3OHpFSlN3CmhuNFY1L1FB +VFBHY1lNNjFYdFZyeHoxZUZyTFdpVHhqM1JqMUM3YWljVUUKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIFI4aGU5Z2NUeGNSNmEzNFk0anBBbUw0NUtHTE55WmgxOUN0T1p1 +QUZyR2cKeTNack0vMVVsNTFMbmFSUXdUUkw2MTlnSzhRajVSWXJvZmV2QjlFcUZY +QQotPiBzc2gtZWQyNTUxOSBuanZYNUEgc01kWFdYS3BBay96Uzd5cG1MMlNMNXhQ +NTV4NVpvc2lLZkpLWkhZZlRrVQo0SXJhWUVMVUtYb1hEOEtJUnJoY2t0OUlpQVY2 +UUZYdHpBcWRvUU0yRHlvCi0+IHNzaC1lZDI1NTE5IENxSU9VQSB2NTZHWUd2c3o1 +c0NKTThaMkgyeG54Nmw1dHZBQkZoYmJkOTZNcnVyMUJVCldzQ1NHNk8vTGRMNHlM +eU0yYmltMkhlUjY2NWxhdHQ2N3BMUjdzTk9PMFkKLT4gc3NoLWVkMjU1MTkgejFP +Y1p3IHh3OEEzTmIrQXhtSTE2REFUV1loVE5vNTRUbEJmNEE4YmhBckRmZGpwVXMK +OEo5RXdwU1JuY3FPQnJNQ1hMdHJxcE4xVnVVWVVLREROYjNsZkN3ZzV2cwotLS0g +aXMrandHZTJzME95VFRuUDRzWDQ5Z3N5RGxVOUUxQ1FGNGpvN3Y4SllSNApAOIi/ +0iP9cccbkUqLZJicpIlKAP+QsYM8Bfb/wYyaQPnh4vlKqil4LpQEfFW+/J82DIti +8o/ddK8YDlLg3lwyiZ2dUm3O87jA7KEgd/g= +-----END AGE ENCRYPTED FILE----- diff --git a/private/s3-glacier.age b/private/s3-glacier.age new file mode 100644 index 0000000..00c5aaf --- /dev/null +++ b/private/s3-glacier.age 
@@ -0,0 +1,18 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBuQTZM +TTg0ai9yNi9Ia3pFNW0vb3JQczZtVEVyNkFNVzBlUVpVd3ZBbndrCklqdS8zeGky +WEN0YW5xck5sSXpXeFZCbHY0NHhDMU5SeGlaYmN4Szc0b1EKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIGJVZTZBdERTNUt6d0sxeGVOcnRtNmdCSlRKWUNjRHByMkZucUlz +Nm5FMTQKbHFtNnM4ZCtzdFNTa214ZVRkaFdmZnFYOCs1Z25YTDVVKzloYUVHVlg1 +cwotPiBzc2gtZWQyNTUxOSBuanZYNUEgOXFwSzByaUdidFRWbE5seFNEVDYxRWtq +OXZURnEzVWphM0VoVnJvSURoUQpGbEt4YmcraDZOcXRTQUF1ekw4RTRCN2JRR1NK +QlRQaGRZd1RIMWNiRWpjCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBzTTVsbnVjWUxt +L0hyM21RS2w2a2NIY2xvSmZ0OUdDWGFVcG5IYlNhUFNzClY1bmdNUkRYR2QyYVFW +VHF3enZqUlZqUWlvZlI2aHZrREdwZGUwdzdXUHMKLT4gc3NoLWVkMjU1MTkgejFP +Y1p3IDN4cThQRjdvTWJ2S2FaMjZ0RHlDeElDc1BuU0JDSzlpcFdzT2ZhLzA1QmcK +TjlFMkgzOFhKbkdvUWt2SGhaUUJXdjBxK2hUeE1sSzBsNWJyNG8rUlZRbwotLS0g +SGw4VmpCMktjQ0ZpUExnWUtsOHhHS0tZckoxeTdtZXMyVXpWT09Ea1NUMAoRRzA+ +0rbfJ+eVeccDaulmqh+Wv3T1/+SQQJYD5trume3vSzXgRxJYeXR/BespsDzWJ3yg +McHYNvEK76stD3vopKvpDU3Nk861xp++SavJtrIVKon6YJl6a6Ox+GxhrNk0+5f9 +xgDWhIHwzHLPvyseYNjRFy8GsYaP2tT9TGMrQHFTAKeuvA== +-----END AGE ENCRYPTED FILE-----